CVE-2026-1628 - Vulnerability Details - OpenCVE

Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

Update Mattermost Desktop App to versions 5.13.4.0 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates

History

Mon, 02 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596
Title		Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.
Weaknesses		CWE-829
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2026-03-02T13:24:21.391Z

Updated: 2026-03-02T14:58:30.546Z

Reserved: 2026-01-29T15:14:51.993Z

Link: CVE-2026-1628

Vulnrichment

Updated: 2026-03-02T14:58:22.983Z

NVD

Status : Received

Published: 2026-03-02T14:16:23.223

Modified: 2026-03-02T14:16:23.223

Link: CVE-2026-1628

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-829

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1628", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-01-29T15:14:51.993Z", "datePublished": "2026-03-02T13:24:21.391Z", "dateUpdated": "2026-03-02T14:58:30.546Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "5.13.3", "status": "affected", "version": "0", "versionType": "semver"}, {"version": "5.13.4.0", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "N/A"}], "descriptions": [{"lang": "en", "value": "Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 4.6}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere", "cweId": "CWE-829"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00596", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost Desktop App to versions 5.13.4.0 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00596", "defect": ["https://mattermost.atlassian.net/browse/MM-67374"], "discovery": "EXTERNAL"}, "title": "Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-02T13:24:21.391Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T14:57:20.504558Z", "id": "CVE-2026-1628", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T14:58:30.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1628", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T14:57:20.504558Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T14:58:22.983Z"}}], "cna": {"title": "Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67374"], "advisory": "MMSA-2026-00596", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "N/A"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.13.3"}, {"status": "unaffected", "version": "5.13.4.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Desktop App to versions 5.13.4.0 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00596", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-02T13:24:21.391Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1628", "state": "PUBLISHED", "dateUpdated": "2026-03-02T14:58:30.546Z", "dateReserved": "2026-01-29T15:14:51.993Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-03-02T13:24:21.391Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}